Should Curve25519 keys be validated?

While analyzing Signal with Markus, I noticed that Signal's Curve25519-based ECDH doesn't validate public keys, and in particular will accept the 0 point as a public key—leading to a shared secret equivalent to 0 regardless of the value of the private key scalar. In contrast, libsodium will return an error if the shared secret happens … Continue reading Should Curve25519 keys be validated?

Auditing code for crypto flaws: the first 30 minutes

Auditing your code for proper crypto use is extremely important. However, what if it's not generally your focus? If your job today is to find flaws in the cryptographic components of application א, where should you start? I like to start an audit by checking which crypto primitives are used. This often gives you an idea of … Continue reading Auditing code for crypto flaws: the first 30 minutes

How (not) to break your (EC)DSA

During an internal project pertaining to automated cryptographic testing, we discovered that many implementations don't respect standard specifications, especially signature algorithms. Let us take a deeper look into it. We will mostly discuss the DSA and ECDSA algorithms and their respective domains and parameters. It is important to know that both of those digital signature … Continue reading How (not) to break your (EC)DSA

What does “secure” mean for an authenticated cipher?

This week I am in Tokyo to present a research paper in cryptography at the 24th International Conference on Fast Software Encryption, the reference academic conference on symmetric crypto. This paper is the result of a semester project that I started last year during my master at EPFL, in collaboration with Damian Vizár from the … Continue reading What does “secure” mean for an authenticated cipher?

On CIA Crypto

On Tuesday, Wikileaks released a tranche of alleged Top Secret CIA documents, many involving explanations of their cryptographic requirements. Reading through the documents turned out to be anticlimactic: the CIA’s cryptographic requirements are pretty boring, and that is how it usually works in cryptography. Quoting from the document, "These requirements are intended to ensure a … Continue reading On CIA Crypto

Why Replace SHA-1 with BLAKE2?

Unless you've lived under a rock for the last twelve years, you must know that the cryptographic hash function SHA-1 is broken, in the sense that it's not as secure as it should be: SHA-1 produces 160-bit digests, meaning that finding a collision (or two messages hashing to the same value) should take approximately 2^80 operations, … Continue reading Why Replace SHA-1 with BLAKE2?

Responding to Ticketbleed

Today Cloudflare publicly disclosed a software vulnerability in the F5 BIG-IP appliance. The following is our action report for clients utilizing the BIG-IP appliance. It is worth noting that this only impacts appliances running the non-default Session Tickets option. Summary Ticketbleed is a high severity software vulnerability in the TLS stack of F5 BIG-IP appliances allowing a … Continue reading Responding to Ticketbleed